Pentagon expanding public-private cyber information sharing program


By John Reed, a former national security reporter for Foreign Policy.
Wikimedia Commons, Camila Ferreira & Mario Duran

Rather than wait for Congress to pass legislation enabling private companies to send information about cyber attacks to the U.S. government, the Pentagon is expanding a little-known program allowing defense contractors to share information with the government about cyber espionage and attacks against them.

In recent years, U.S. defense contractors have famously been hit by cyber attacks compromising information on high-profile weapons systems, such as the $1.5 trillion F-35 Joint Strike Fighter program. In the case of the F-35, the attacks have led to costly software redesigns and production delays.

To remedy this, the Defense Industrial Base Cybersecurity and Information Assurance (DIBCIA) program was established several years ago as a voluntary partnership between defense contractors with security clearances and the government, aimed at sharing information on cyber threats and even providing companies with assistance from U.S. intelligence agencies in defending against cyber threats.

Now, the Pentagon is opening up DIBCIA to a broader swath of companies.

"If you’re a Defense Department contractor with a facility clearance, we want to share classified threat information with you," said Richard Hale, the Pentagon’s deputy chief information officer for cyber during a Sept. 27 cybersecurity conference in Washington. "It’s a voluntary program. We’ll share with you, you share with us. We also have a second part of that program that allows you to get security services from a service provider that’s getting classified information and using it to protect you."

DoD is now working with the Department of Homeland Security to develop a similar program that would give companies responsible for maintaining critical infrastructure (banks, utilities, Internet service providers, etc.) a channel for sharing information on cyber threats with DHS.

"We’re teamed closely with [the Department of Homeland Security] to see if DHS can expand this model out to other critical infrastructure," said Hale.

This comes as Pentagon officials revealed that they plan to work with private companies to develop incentives for meeting high standards in defending against attacks that enter through counterfeit or compromised electronic parts in the supply chain (a threat that is either major or completely overblown, depending on who you ask).

So far, these efforts between DoD and defense contractors to share information and defend against cyber threats have been "enormously successful," Eric Rosenbach, deputy assistant secretary of defense for cyber policy, told Killer Apps earlier this month.

Rosenbach went on to describe the part of DIBCIA under which threat signatures developed by U.S. intelligence agencies are used to screen defense contractors' network traffic, a service called the Defense Enhanced Cybersecurity Service (DECS).

"We wanted to create a new model for trying to protect information, so we are using specialized [threat] signatures [known to] the intelligence community, giving them to Internet service providers, who then screen the Internet service traffic" to protect defense companies who subscribe to the service, said Rosenbach.

He insisted that the intelligence community does not see the actual web traffic, and therefore no private citizens' information, running across the networks of Internet service providers (ISPs); it merely gives information and analysis about malicious signatures to the providers, who can then be on the lookout for them.

"The part that’s unique is the intelligence community involvement, just giving them the signatures. The intelligence community does not scan the traffic, see the traffic, see any of the results of scanning, so they’re completely separate. They just give the special sauce, so to speak," said Rosenbach, referring to the information on advanced cyber threats given by intelligence agencies to the ISPs.

Defense contractors pay for this service and "the only thing that the government provides [is the analysis of] these specialized signatures and the ISPs are responsible for making sure it all runs," added Rosenbach.

Those signatures are "basically a string of numbers in hexadecimal format that’s mostly unintelligible unless it’s read by a machine or an antivirus program," said Rosenbach. "That type of information, technical information, is what’s most valuable to information sharing. It’s not the personally identifiable information that we’re interested; it’s the type of information that could help you stop an attack if you know what you’re looking for."
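The split Rosenbach describes, in which one party supplies byte-pattern signatures and another party runs them against traffic and reports only matches, is the same shape as any signature-based screening. The following is an added example, not code from DECS, the Pentagon, or the ISPs involved: it parses hex-string signatures of the kind quoted above (including Snort-style `|de ad be ef|` notation), scans constructed sample flows, and returns only flow identifiers and per-signature counts, so nothing resembling payload content flows back to the signature source. The signature IDs, patterns, and flows are all constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sig_id: str
    pattern: bytes  # raw bytes the screening side searches for


def parse_hex_signature(sig_id: str, hex_text: str) -> Signature:
    """Turn a hex-string signature into raw bytes.

    Accepts "de ad be ef", "deadbeef" or Snort-style "|de ad be ef|".
    Rejects odd-length or non-hex input rather than silently truncating it.
    """
    cleaned = re.sub(r"[\s|]", "", hex_text)
    if not cleaned or len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", cleaned):
        raise ValueError(f"{sig_id}: not a valid hex signature: {hex_text!r}")
    return Signature(sig_id, bytes.fromhex(cleaned))


def screen_flows(flows, signatures):
    """Screening (ISP) side: check every payload against every signature.

    Returns {sig_id: [flow_id, ...]}. Only identifiers are kept; payload
    bytes never leave this function.
    """
    hits = {sig.sig_id: [] for sig in signatures}
    for flow_id, payload in flows:
        for sig in signatures:
            if sig.pattern in payload:
                hits[sig.sig_id].append(flow_id)
    return hits


def report_to_signature_source(hits):
    """What goes back to whoever supplied the signatures: a count per signature."""
    return {sig_id: len(flow_ids) for sig_id, flow_ids in hits.items()}


# Constructed signatures for the example; hypothetical, not real threat signatures.
SIGNATURES = [
    parse_hex_signature("SIG-0001", "|de ad be ef|"),  # made-up beacon marker
    parse_hex_signature("SIG-0002", "4d 5a 90 00"),    # "MZ\x90\x00", a common start of a Windows PE header
]

# Constructed sample flows as (flow id, payload bytes); not captured traffic.
FLOWS = [
    ("flow-1", b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("flow-2", b"\x00\x01\xde\xad\xbe\xef\x02\x03"),
    ("flow-3", b"HTTP/1.1 200 OK\r\n\r\nMZ\x90\x00\x03\x00\x00\x00"),
]

if __name__ == "__main__":
    matched = screen_flows(FLOWS, SIGNATURES)
    print(matched)                            # flow ids per signature, stays with the ISP
    print(report_to_signature_source(matched))  # counts only, safe to send upstream
```

The point of keeping `screen_flows` and `report_to_signature_source` separate is that the data boundary Rosenbach describes is enforced in code: the function that touches payloads returns nothing but identifiers, and the only thing built for the signature source is a count. A production scanner would compile all patterns into one automaton and handle patterns that straddle packet boundaries, but the trust split is the same.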

DECS, the part of the program in which intelligence agencies' threat signatures are passed to ISPs to screen contractors' traffic, "ran in pilot mode" for several years and was finally cleared to expand in the spring of this year, DoD Chief Information Officer Teri Takai told Killer Apps during the same interview as Rosenbach.

"It’s something we think could be expanded to possibly work for protecting critical infrastructure and other parts of the federal government," said Rosenbach.

"We’ve got a queue of companies that are interested in joining, we’ve got other federal agencies that are interested in coming aboard, and we’ve got other federal agencies that are interested in either using our program or creating a similar program," added Takai.

Congress has repeatedly tried and failed to pass legislation that would allow and encourage private companies to share information about cyber security threats with the U.S. government. Many of these bills have been met with strong opposition from civil liberties groups — and in some cases the White House — who claim that companies could unnecessarily gather and share private information about U.S. citizens with the government, in the name of cybersecurity. Supporters of these bills argue that real-time information sharing between critical infrastructure providers and the government is required to defend against advanced cyber threats.

John Reed is a former national security reporter for Foreign Policy.
